A community based topic aggregation platform built on atproto
# Coves Local Development Environment Configuration
# This file contains all environment variables for the local atProto development stack
# DO NOT commit secrets to version control in production!

# =============================================================================
# PostgreSQL Configuration (Development Database)
# =============================================================================
# Development database for Coves AppView (runs on port 5435)
POSTGRES_HOST=localhost
POSTGRES_PORT=5435
POSTGRES_DB=coves_dev
POSTGRES_USER=dev_user
POSTGRES_PASSWORD=dev_password

# =============================================================================
# PDS (Personal Data Server) Configuration
# =============================================================================
# PDS runs on port 3001 (to avoid conflict with production PDS on :3000)
PDS_HOSTNAME=localhost
PDS_PORT=3001

# PDS Service Endpoint for DIDs
# This is the URL that goes in DID documents' atproto_pds service endpoint
# Must match what the PDS thinks its public URL is (internal port 3000)
# Development: http://localhost:3000 (PDS's internal view)
# Production: https://pds.coves.social
PDS_SERVICE_ENDPOINT=http://localhost:3000

# DID PLC Directory for PDS
# For local E2E testing: Use local PLC (requires --profile plc)
# Note: Use container hostname for PDS to reach PLC within Docker network
PDS_DID_PLC_URL=http://plc-directory:3000

# JWT Secret (for signing tokens - change in production!)
PDS_JWT_SECRET=local-dev-jwt-secret-change-in-production

# Admin password for PDS management
PDS_ADMIN_PASSWORD=admin

# Handle domains (users will get handles like alice.local.coves.dev)
# Communities will use c-{name}.coves.social (3-level format with c- prefix)
PDS_SERVICE_HANDLE_DOMAINS=.local.coves.dev,.coves.social

# PLC Rotation Key (k256 private key in hex format - for local dev only)
# This is a randomly generated key for testing - DO NOT use in production
PDS_PLC_ROTATION_KEY=af514fb84c4356241deed29feb392d1ee359f99c05a7b8f7bff2e5f2614f64b2

# =============================================================================
# AppView Configuration (Your Go Application)
# =============================================================================
# AppView runs on port 8081 (to avoid conflicts)
APPVIEW_PORT=8081

# PDS Firehose URL (WebSocket connection - direct to PDS, no relay)
FIREHOSE_URL=ws://localhost:3001/xrpc/com.atproto.sync.subscribeRepos

# PDS URL (for XRPC calls)
PDS_URL=http://localhost:3001

# =============================================================================
# Test Database Configuration
# =============================================================================
# Test database runs on port 5434 (separate from dev on 5435)
POSTGRES_TEST_DB=coves_test
POSTGRES_TEST_USER=test_user
POSTGRES_TEST_PASSWORD=test_password
POSTGRES_TEST_PORT=5434

# =============================================================================
# Jetstream Configuration (Read-Forward User Indexing)
# =============================================================================
# Jetstream WebSocket URL for real-time atProto events
#
# Production: Use Bluesky's public Jetstream (indexes entire network)
# JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.actor.profile
#
# Local E2E Testing: Use local Jetstream (indexes only local PDS)
# 1. Start local Jetstream: docker-compose --profile jetstream up pds jetstream
# 2. Use this URL:
JETSTREAM_URL=ws://localhost:6008/subscribe?wantedCollections=social.coves.actor.profile

# Optional: Filter events to specific PDS
# JETSTREAM_PDS_FILTER=http://localhost:3001

# =============================================================================
# Identity Resolution Configuration
# =============================================================================
# IMPORTANT: In dev mode (IS_DEV_ENV=true), identity resolution automatically
# uses PLC_DIRECTORY_URL to ensure E2E tests stay local. In production, you
# can optionally set IDENTITY_PLC_URL to use a different URL for read operations.
#
# For local dev: Leave IDENTITY_PLC_URL unset (uses PLC_DIRECTORY_URL)
# For production: Optionally set IDENTITY_PLC_URL=https://plc.directory

# Cache TTL for resolved identities (Go duration format: 24h, 1h30m, etc.)
IDENTITY_CACHE_TTL=24h

# =============================================================================
# OAuth Configuration
# =============================================================================
# OAuth client private key (ES256 keypair - generate with: go run cmd/genjwks/main.go)
# DO NOT commit this to version control in production!
#
# Supports two formats:
# 1. Plain JSON (easier for local development):
#    OAUTH_PRIVATE_JWK={"alg":"ES256","crv":"P-256",...}
#
# 2. Base64 encoded (recommended for production to avoid shell escaping):
#    OAUTH_PRIVATE_JWK=base64:eyJhbGciOiJFUzI1NiIsImNydiI6IlAtMjU2Ii...
#    Generate with: echo '{"alg":...}' | base64 -w 0
#
OAUTH_PRIVATE_JWK={"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"}

# Cookie secret for session encryption (generate with: openssl rand -hex 32)
# Also supports base64: prefix for consistency
OAUTH_COOKIE_SECRET=f1132c01b1a625a865c6c455a75ee793572cedb059cebe0c4c1ae4c446598f7d

# Seal secret for OAuth session tokens (AES-256-GCM encryption)
# Generate with: openssl rand -base64 32
# This must be 32 bytes when base64-decoded for AES-256
# OAUTH_SEAL_SECRET=ryW6xNVxYhP6hCDA90NGCmK58Q2ONnkYXbHL0oZN2no=

# OAuth Confidential Client Configuration (optional, for testing)
# If both are set, Coves becomes a confidential OAuth client with 90-day session lifetime
# (Public clients are limited to 14 days by the auth server)
# Generate keys with: go run ./cmd/tools/generate-oauth-key

# Generated: 2026-02-05T22:49:41-08:00
# WARNING: Keep this private key secure! Never commit to version control.
OAUTH_CLIENT_PRIVATE_KEY=z42ti3ZG2JDj4RvFKdovxbgHB9Q4uvwsPvew8NQaxKxdfTLY
OAUTH_CLIENT_KEY_ID=coves-key-1770360581

# AppView public URL (used for OAuth callback and client metadata)
# Dev: http://127.0.0.1:8081 (use 127.0.0.1 instead of localhost per RFC 8252)
# Prod: https://coves.social
APPVIEW_PUBLIC_URL=http://127.0.0.1:8081

# =============================================================================
# Coves Instance PDS Authentication
# =============================================================================
# The Coves instance needs a PDS account to write community records
# Create this account once: curl -X POST http://localhost:3001/xrpc/com.atproto.server.createAccount
PDS_INSTANCE_HANDLE=testuser123.local.coves.dev
PDS_INSTANCE_PASSWORD=test-password-123

# Trusted Aggregator DIDs (bypasses community authorization check)
# Comma-separated list of DIDs
# - did:plc:yyf34padpfjknejyutxtionr = kagi-news.coves.social (production)
# - did:plc:igjbg5cex7poojsniebvmafb = test-aggregator.local.coves.dev (dev)
TRUSTED_AGGREGATOR_DIDS=did:plc:yyf34padpfjknejyutxtionr,did:plc:igjbg5cex7poojsniebvmafb,did:plc:jn4tlbpkdms5tahfrylct5g7

# =============================================================================
# Development Settings
# =============================================================================
# Environment
ENV=development
NODE_ENV=development
# Always true for local development (use PLC_DIRECTORY_URL to control registration)
IS_DEV_ENV=true

# Security: Skip did:web domain verification for local development
# IMPORTANT: Set to false in production to prevent domain spoofing attacks
# When true, communities can claim any hostedByDID without verification
# When false, hostedByDID must match the community handle domain
SKIP_DID_WEB_VERIFICATION=true

# Authentication: Skip JWT signature verification for local development (Phase 1)
# IMPORTANT: Set to false in production for full signature verification
# When true, the JWT is only parsed, not verified (any syntactically valid JWT is trusted)
# When false, the JWT signature is verified against the issuer's JWKS
AUTH_SKIP_VERIFY=true

# HS256 Issuers: PDSes allowed to use HS256 (shared secret) authentication
# Must share PDS_JWT_SECRET with the Coves instance. External PDSes use ES256 via DID resolution.
# For local dev, list the local PDS here or set AUTH_SKIP_VERIFY=true
HS256_ISSUERS=http://localhost:3001

# Logging
LOG_LEVEL=debug
LOG_ENABLED=true

# =============================================================================
# PLC Directory Configuration
# =============================================================================
# URL for PLC (Public Ledger of Credentials) directory
#
# For local E2E testing with registration: http://localhost:3002 (requires --profile plc)
# - Registers DIDs with local PLC directory
# - Safe for testing, won't pollute production plc.directory
# - PDS must also be configured to use local PLC (see PDS_DID_PLC_URL)
#
# Production: https://plc.directory (currently Bluesky's, will transfer to third party)
# - DO NOT use production PLC for testing!
#
PLC_DIRECTORY_URL=http://localhost:3002

# =============================================================================
# Dev Mode Quick Reference
# =============================================================================
# REQUIRED for local OAuth to work with local PDS:
#   IS_DEV_ENV=true                           # Master switch for dev mode
#   PDS_URL=http://localhost:3001             # Local PDS for handle resolution
#   PLC_DIRECTORY_URL=http://localhost:3002   # Local PLC directory
#   APPVIEW_PUBLIC_URL=http://127.0.0.1:8081  # Use IP not localhost (RFC 8252)
#
# BUILD TAGS:
#   make run       - Runs with -tags dev (includes localhost OAuth resolvers)
#   make build     - Production binary (no dev code)
#   make build-dev - Dev binary (includes dev code)
#
# Dev-only code (only compiled with -tags dev):
#   - internal/atproto/oauth/dev_resolver.go (handle resolution via local PDS)
#   - internal/atproto/oauth/dev_auth_resolver.go (localhost OAuth bypass)
#
# =============================================================================
# Notes
# =============================================================================
# All local development configuration in one file!
# - Dev PostgreSQL: port 5435
# - Test PostgreSQL: port 5434 (via --profile test)
# - PDS: port 3001 (avoids conflict with production on :3000)
# - AppView: port 8081
# - PDS is self-contained (SQLite + CAR files)
# - PostgreSQL is only for Coves AppView indexing
# - AppView subscribes directly to PDS firehose (no relay needed)
# - PDS firehose: ws://localhost:3001/xrpc/com.atproto.sync.subscribeRepos


# =============================================================================
# Image Proxy Configuration
# =============================================================================
# On-the-fly image resizing with disk caching
# Defaults to enabled - falls back to direct PDS URLs if proxy fails
IMAGE_PROXY_ENABLED=true
IMAGE_PROXY_BASE_URL=http://127.0.0.1:8081
IMAGE_PROXY_CACHE_PATH=./cache/images
IMAGE_PROXY_CACHE_MAX_GB=5
# Optional: CDN URL for production (leave empty for local dev)
# IMAGE_PROXY_CDN_URL=
IMAGE_PROXY_FETCH_TIMEOUT_SECONDS=30
IMAGE_PROXY_MAX_SOURCE_SIZE_MB=10

# =============================================================================
# OpenTelemetry Observability (Optional)
# =============================================================================
# Disabled by default. Enable for local Jaeger: docker compose --profile observability up
OTEL_ENABLED=false
# OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4317
# OTEL_SERVICE_NAME=coves-appview-dev